Skip to content

T-IMPACT-002: no rate limiting validated, gateway resilience PR submitted #14

New issue
New issue
Open
Open
T-IMPACT-002: no rate limiting validated, gateway resilience PR submitted#14
@Techris93

Description

@Techris93
Techris93
opened on Mar 4, 2026

Summary

Validated T-IMPACT-002 (Resource Exhaustion) against a local gateway instance. The threat model lists mitigation as "None" and recommends "per-sender rate limits, cost budgets, circuit breakers."

Reproduction

HTTP — zero throttling

for i in $(seq 1 50); do
  curl -s -o /dev/null -w "%{http_code} " http://localhost:18789/
done
# Output: 200 200 200 200 ... (50x 200, zero 429s)

No X-RateLimit-* headers in any response. Clients have no way to know their quota or when to back off.

WebSocket — pre-auth flood

WebSocket upgrades are accepted before authentication (challenge-response pattern). An attacker can open unlimited connections that hold file descriptors and memory without ever completing the challenge.

Model API — no cost controls

There are no circuit breakers or spend limits on model API calls. A misbehaving agent or prompt loop can rack up unbounded API costs.

Proposed Mitigations (PR submitted)

I've submitted a hardening PR to openclaw/openclaw with three standalone modules:

  • ws-connection-limiter.ts — Per-IP limit on pre-auth WebSocket connections (default: 10) with challenge timeout (default: 30s). Prevents fd exhaustion from connection floods.

  • rate-limit-headers.ts — Sliding-window X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, and Retry-After headers per IETF draft-polli-ratelimit. Trusted proxy support via configurable allowlist.

  • cost-circuit-breaker.ts — Three-state breaker (closed/open/ half-open) tracking rolling model API spend. Trips at configurable threshold (default: $10/hr), auto-recovers after cooldown with probe timeout to prevent stuck states.

PR: https://github.com/Techris93/openclaw/pull/33297

Trust Model Alignment

Defaults are intentionally generous (120 req/min, 10 pending WS, $10/hr model spend). Operators can disable any module via config. These are defense-in-depth improvements, not security boundary changes.

Environment

OpenClaw: latest main (cloned fresh)
OS: macOS + Kali Linux
Node.js: v22.12.0+

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions